op-supervisor: local-safe reorg support

[protolambda]

Description

Start of reorg support. This handles the reorg case where a local-safe block is not actually cross-safe.

When a local-safe block is detected to conflict:

1. Send update to chains-DB to roll back, and insert a replacement block entry into local/cross-safe DB.
2. Use feed to have connected sync nodes proactively follow the replacement block, rather than finding cross-safe conflicting later (at which point we then also need to handle replacement)
3. Sync nodes should insert the replacement block with a reorg, mark it as safe, and then then trigger a reset, so the nodes continues to derive on top of this cross-safe block.
4. Sync nodes should publish the replacement-block as event. Instead of a derived-from event. This can then be watched by the supervisor, and marked as cross-safe.

Tests

• Unit tests for block-replacement tx
• Action test for e2e block replacement example
• Updated existing test from tyler, that now reorgs out the bad tx, rather than halting cross-safe progression.

Additional context

Metadata

After this we still have two types of reorgs:

• L1 reorgs, and we need to roll back the supervisor (simple, already keyed by L1 blocks)
• L2 unsafe block conflicts: we won't know what is and isn't valid. We might need some heuristics here, to choose an unsafe chain that can be recovered, and remove the rest asap, so it's not batch-submitted.

[codecov]

Codecov Report

Attention: Patch coverage is 38.40399% with 247 lines in your changes missing coverage. Please review.

Project coverage is 45.24%. Comparing base (9580179) to head (4ed049d).
Report is 22 commits behind head on develop.

Files with missing lines	Patch %	Lines
op-supervisor/supervisor/backend/db/update.go	0.00%	67 Missing ⚠️
op-supervisor/supervisor/backend/db/query.go	0.00%	51 Missing ⚠️
op-node/rollup/interop/managed/system.go	0.00%	42 Missing ⚠️
op-supervisor/supervisor/backend/syncnode/node.go	0.00%	25 Missing and 1 partial ⚠️
op-node/rollup/interop/managed/attributes.go	86.90%	7 Missing and 4 partials ⚠️
op-service/eth/types.go	0.00%	7 Missing ⚠️
...-supervisor/supervisor/backend/db/fromda/update.go	36.36%	7 Missing ⚠️
op-supervisor/supervisor/backend/db/fromda/db.go	66.66%	4 Missing and 2 partials ⚠️
...r/supervisor/backend/processors/chain_processor.go	0.00%	5 Missing ⚠️
op-supervisor/supervisor/types/types.go	0.00%	5 Missing ⚠️
... and 10 more

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #13645      +/-   ##
===========================================
- Coverage    47.04%   45.24%   -1.80%     
===========================================
  Files          973      917      -56     
  Lines        81123    76680    -4443     
  Branches       776      776              
===========================================
- Hits         38161    34693    -3468     
+ Misses       40003    39258     -745     
+ Partials      2959     2729     -230     

Flag	Coverage Δ
cannon-go-tests-32	?
cannon-go-tests-64	?
contracts-bedrock-tests	88.45% <ø> (-2.37%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
op-node/rollup/derive/deposit_source.go	100.00% <100.00%> (ø)
op-node/rollup/engine/engine_reset.go	86.20% <100.00%> (ø)
op-node/rollup/engine/payload_success.go	100.00% <100.00%> (ø)
op-node/rollup/sequencing/origin_selector.go	94.35% <100.00%> (ø)
...pervisor/supervisor/backend/cross/safe_frontier.go	100.00% <100.00%> (ø)
op-node/rollup/attributes/attributes.go	68.38% <0.00%> (ø)
op-node/rollup/derive/deriver.go	0.00% <0.00%> (ø)
...supervisor/supervisor/backend/cross/safe_update.go	71.00% <96.87%> (+2.86%)	⬆️
...ervisor/supervisor/backend/l1access/l1_accessor.go	24.17% <0.00%> (-0.27%)	⬇️
op-node/rollup/event.go	0.00% <0.00%> (ø)
... and 15 more

... and 84 files with indirect coverage changes

[axelKingsley]

Discussed synchronously, the API updates will be split out so we can land these separately

[axelKingsley]

This PR is more impactful than the title suggests, as it also contains things like AttributesToReplaceInvalidBlock, which is the implementation of block replacement to spec.

The Action testing makes this easy to approve, I can see that the supervisor and node both react correctly when a local-safe block is invalid in the cross-safe context.

I have a handful of comment, but none are blocking, so I've approved and will let you address as many of them as you like.

[axelKingsley]

Another thing I'm thinking about is:

	// It is called with the candidate, the block that will be invalidated.
	// The replacement of this candidate will effectively be "derived from"
	// the scope that the candidate block was invalidated at.

What I think this means is that, looking the local safe database, a given L2 block L2.A may appear as derived from L1.A, and then eventually when it is discovered to be cross-invalid, we invalidate it at the point it becomes invalid. So, if L2.A isn't found to be invalid until L1.Z appears, the database will feature a locally safe L2 block which is known to be invalid, at which point it is replaced with L2.A'. But link entries L2.A:L1.A, L2.A:L1.B... will still exist.

I think that's okay because it accurately describes the derivation information which is available at each L1 step, but I'm wondering out loud if any of our APIs might find a Local-Safe block L2.A and make some assumptions about the validity of that block. The node will totally forget about L2.A and will only know about L2.A'.

[zhiqiangxu]

Is it necessary to validate tx.ChainId() matches the actual chainid here?

[Inphi]

It's implicitly checked below when recovering the sender from the tx.